Release-v26.1

Cyrus Daboo
2025-11-04 12:35:42 -08:00
parent 8d9958d9b5
commit bfcc8bbd01
21 changed files with 163 additions and 74 deletions

View File

@@ -8,11 +8,11 @@ This release corresponds to the following OS versions
| OS | Version |
|----------|---------|
| iOS | 26.0 |
| macOS | 26.0 |
| tvOS | 26.0 |
| visionOS | 26.0 |
| watchOS | 26.0 |
| iOS | 26.1 |
| macOS | 26.1 |
| tvOS | 26.1 |
| visionOS | 26.1 |
| watchOS | 26.1 |
## Important Release Notes

View File

@@ -23,16 +23,8 @@ payloadkeys:
title: Service Type
type: <string>
presence: required
content: |-
The identifier of the system service with managed configuration files. Use a reverse DNS style for this identifier. However, the system reserves `com.apple.` prefix for built-in services. The available built-in services are:
- `com.apple.sshd` configures sshd
- `com.apple.sudo` configures sudo
- `com.apple.pam` configures PAM
- `com.apple.cups` configures CUPS
- `com.apple.apache.httpd` configures Apache httpd
- `com.apple.bash` configures bash
- `com.apple.zsh` configures zsh
content: The identifier of the system service with managed configuration files.
Use a reverse DNS style for this identifier.
- key: DataAssetReference
title: Data Asset Reference
type: <string>
@@ -49,3 +41,49 @@ payloadkeys:
- Has a `Reference` key that includes the `ContentType` and `Hash-SHA-256` keys, which the system requires
The system expands the zip archive and stores the data in a well-known location for the service.
notes:
- title: ''
content: |-
The device stores the service configurations files from this configuration in a tamper-proof location. Built-in services use these files to override their default configurations.
The `DataAssetReference` refers to a zip archive that contains configuration files for a specific service. When the device applies the configuration, it downloads the asset data and expands the archive into a service-specific location. If the device updates a configuration, it downloads the new asset data and expands the data to replace what it previously installed. If the device deactivates or removes the configuration, it removes the configuration files from the service-specific directory.
All files in the expanded archive are set to -r--r--r-- unix file permissions. Any links in the archive will be restricted to referencing files within the service-specific location.
The following built-in system services use managed configuration files:
| ServiceType | Manages |
|---|---|
| com.apple.sshd | /etc/ssh |
| com.apple.sudo | /etc/sudoers |
| com.apple.pam | /etc/pam.d |
| com.apple.cups | /etc/cups |
| com.apple.apache.httpd | /etc/apache2 |
| com.apple.bash | /etc/profile |
| com.apple.zsh | /etc/zprofile |
| | /etc/zlogin |
| | /etc/zlogout |
| | /etc/zshenv |
| | /etc/zshrc |
| com.apple.cryptoTokenKit | /etc/SmartcardLogin.plist |
| com.apple.authorization | /Library/Security/ |
The files in the zip archive need to mirror the folder structure and configuration files that the service expects to be present starting at the root of the file system. The service uses only the files the declaration provides and ignores the ones in its default directories.
For example, a configuration with `ServiceType`: `com.apple.sshd` configures sshd to use the files that the `DataAssetReference` provides, instead of the files located at /etc/ssh. The corresponding zip archive needs to contain:
```
etc/
└ ssh/
├ moduli
├ ssh_config
├ ssh_config.d/
├ sshd_config
└ sshd_config.d/
└ 100-macos.conf
```
You can create an executable that uses service configuration files by calling the `mcf_service_path_for_service_type` method in the `libmanagedconfigurationfiles.dylib` system library. You pass in an identifier for your service type and the method returns the file system path for the directory that contains the corresponding service configuration files. Use those files to override the standard or default configuration the executable would otherwise use. See libmanagedconfigurationfiles.h in the macOS SDK for more detail.
> Important:
> The system reserves the `com.apple` prefix for built-in services.
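Review bot: The sentence "Any links in the archive will be restricted to referencing files within the service-specific location" doesn't say what the device does with an archive that contains a link pointing outside that location. State whether the whole asset is rejected or only the offending link is dropped, since admins will build these archives for `/etc/ssh`, `/etc/sudoers` and `/etc/pam.d`. Smaller points in the same note: put `-r--r--r--` in code formatting, change "service configurations files" to "service configuration files", and make the Important callout match the text removed from `ServiceType`, which wrote the reserved prefix as `com.apple.` with the trailing dot.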

View File

@@ -61,8 +61,8 @@ payloadkeys:
- supervised
type: <dictionary>
presence: optional
content: This object configures the deferral of software updates. Rapid Security
Responses aren't considered in `Major`, `Minor`, or `System` deferral mechanism.
content: This object configures the deferral of software updates. Background Security
Improvements aren't considered in `Major`, `Minor`, or `System` deferral mechanism.
subkeys:
- key: CombinedPeriodInDays
title: Combined Major/Minor Update Deferral Period
@@ -224,7 +224,7 @@ payloadkeys:
- `AlwaysOn` - automatic installations are always enabled.
- `AlwaysOff` - automatic installations are always disabled.
- key: RapidSecurityResponse
title: Rapid Security Response Settings
title: Background Security Improvement Settings
supportedOS:
iOS:
allowed-enrollments:
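Review bot: The key stays `RapidSecurityResponse` while its title becomes "Background Security Improvement Settings", so someone who knows only the new name has nothing to search for in the key list. Add a sentence to the key's description saying that Background Security Improvements were formerly called Rapid Security Responses and that the key name is unchanged.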
@@ -235,29 +235,29 @@ payloadkeys:
introduced: n/a
type: <dictionary>
presence: optional
content: These configurations set user access to interacting with Rapid Security
Responses (RSRs).
content: These configurations set user access to interacting with Background Security
Improvement.
subkeys:
- key: Enable
title: Enable Rapid Security Response Installation
title: Enable Background Security Improvement Installation
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: |-
If set to `false`, Rapid Security Responses aren't offered for user installation. The system can still install Rapid Security Responses with `com.apple.configuration.softwareupdate.enforcement.specific` configurations.
If set to `false`, Background Security Improvements aren't offered for user installation. The system can still install Background Security Improvements with `com.apple.configuration.softwareupdate.enforcement.specific` configurations.
If set to `true`, the system offers Rapid Security Responses to the user.
If set to `true`, the system offers Background Security Improvements to the user.
- key: EnableRollback
title: Enable Rapid Security Response Rollbacks
title: Enable Background Security Improvement Rollbacks
type: <boolean>
presence: optional
default: true
combinetype: boolean-and
content: |-
If set to `false`, the system doesn't offer Rapid Security Response rollbacks to the user.
If set to `false`, the system doesn't offer Background Security Improvement rollbacks to the user.
If set to `true`, the system offers Rapid Security Response rollbacks to the user.
If set to `true`, the system offers Background Security Improvement rollbacks to the user.
- key: AllowStandardUserOSUpdates
title: Allow Standard User OS Updates
supportedOS:

View File

@@ -54,5 +54,5 @@ payloadkeys:
title: Status item value.
type: <string>
presence: required
content: The operating system's build and rapid security response versions in use
on the device, for example, `20A123a` or `20B27c`.
content: The operating system's build and Background Security Improvement versions
in use on the device, for example, `20A123a` or `20B27c`.

View File

@@ -1,6 +1,6 @@
title: Status Device Operating System Supplemental Extra Version
description: A status report of the device's operating system's rapid security response
identifier.
description: A status report of the device's operating system's Background Security
Improvement identifier.
payload:
statusitemtype: device.operating-system.supplemental.extra-version
supportedOS:
@@ -55,5 +55,5 @@ payloadkeys:
title: Status item value.
type: <string>
presence: required
content: The operating system's rapid security response version in use on the device,
for example, `a`.
content: The operating system's Background Security Improvement version in use on
the device, for example, `a`.

View File

@@ -48,14 +48,14 @@ payloadkeys:
title: The OS version
type: <string>
presence: required
content: The OS version of the pending software update, including any rapid security
response version. This string is empty if no update is pending.
content: The OS version of the pending software update, including any Background
Security Improvement version. This string is empty if no update is pending.
- key: build-version
title: The build version
type: <string>
presence: required
content: The build version of the pending software update, including any rapid
security response version. This string is empty if no update is pending.
content: The build version of the pending software update, including any Background
Security Improvement version. This string is empty if no update is pending.
- key: target-local-date-time
title: The target local date-time
type: <string>

View File

@@ -2,6 +2,22 @@
This document lists errata for the YAML schema. This is used when older versions of the schema are incorrect, and a fix was made in later schema to correct the problem.
## iOS 26.1 / tvOS 26.1
### mdm/profiles/com.apple.homescreenlayout.yaml
The `IconItem` incorrectly stated the enum value was `App` but it is `Application`
## macOS 26.1
### other/skipkeys.yaml
The OSShowcase and UpdateCompleted skip keys were incorrectly marked as available in macOS 26.0. They are available beginning macOS 26.1.
### mdm/profiles/com.apple.screensaver.yaml
The `idleTime` key was incorrectly named `loginWindowIdleTime`.
## iOS 26.0
### mdm/profiles/com.apple.airplay.yaml

View File

@@ -265,9 +265,9 @@ payloadkeys:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the OS update rapid security response version letter,
if a rapid security response update is installed. Requires the Device Information
access right.
content: The key to get the OS update Background Security Improvement version
letter, if a Background Security Improvement update is installed. Requires
the Device Information access right.
- key: BuildVersion
supportedOS:
iOS:
@@ -301,9 +301,10 @@ payloadkeys:
accessrights: AllowQueryDeviceInformation
type: <string>
presence: optional
content: The key to get the build version for the currently installed rapid
security response. If there's no installed rapid security response, this value
is the same as `BuildVersion`. Requires the Device Information access right.
content: The key to get the build version for the currently installed Background
Security Improvement. If there's no installed Background Security Improvement,
this value is the same as `BuildVersion`. Requires the Device Information
access right.
- key: ModelName
supportedOS:
iOS:
@@ -1974,7 +1975,7 @@ responsekeys:
tvOS:
introduced: '16.1'
type: <string>
content: The OS update rapid security response version letter.
content: The OS update Background Security Improvement version letter.
- key: BuildVersion
type: <string>
content: The operating system version. Requires the Device Information access

View File

@@ -20,7 +20,7 @@ payload:
devicechannel: false
userchannel: true
userenrollment:
mode: forbidden
mode: allowed
tvOS:
introduced: '10.2'
accessrights: AllowAppInstallation
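Review bot: The `userenrollment` change from `mode: forbidden` to `mode: allowed` widens where this command can run, but nothing in the visible lines says from which OS version that holds. The note added in the next hunk only covers the user channel ("In macOS 12 and later, macOS supports this command on the user channel"). If the old value was a schema mistake, add an errata entry like the one this commit adds for `com.apple.screensaver.yaml`; if it is new behaviour, state the version in the command's notes.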
@@ -74,7 +74,7 @@ responsekeys:
notes:
- title: ''
content: |-
This command allows the server to get the feedback information of managed apps.
This command allows the server to get the feedback information of managed apps. In macOS 12 and later, macOS supports this command on the user channel.
The response doesn't include apps that Declarative Device Management is managing.

View File

@@ -16,6 +16,8 @@ payload:
mode: allowed
macOS:
introduced: '10.9'
deprecated: '11.0'
removed: '11.0'
accessrights: AllowAppInstallation
devicechannel: false
userchannel: true
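Review bot: `deprecated: '11.0'` and `removed: '11.0'` under `macOS` carry the same version, which leaves no release in which the command was deprecated but still present. Confirm both values are intended; if the command simply stopped existing in 11.0, say so in the command's notes so that readers don't look for a deprecation window.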

View File

@@ -220,7 +220,7 @@ responsekeys:
introduced: '16.2'
type: <boolean>
presence: required
content: If `true`, this update is a Rapid Security Response.
content: If `true`, this update is a Background Security Improvement.
- key: SupplementalBuildVersion
supportedOS:
iOS:
@@ -231,8 +231,8 @@ responsekeys:
introduced: '16.2'
type: <string>
presence: optional
content: The build version for the Rapid Security Response update, for example,
`13A999`, which is the same as `Build`.
content: The build version for the Background Security Improvement update, for
example, `13A999`, which is the same as `Build`.
- key: SupplementalOSVersionExtra
supportedOS:
iOS:
@@ -243,8 +243,8 @@ responsekeys:
introduced: '16.2'
type: <string>
presence: optional
content: The Rapid Security Response OS version suffix, for example, `(a)`.
Only present if this is a Rapid Security Response update.
content: The Background Security Improvement OS version suffix, for example,
`(a)`. Only present if this is a Background Security Improvement update.
notes:
- title: ''
content: |-

View File

@@ -68,7 +68,7 @@ payloadkeys:
The version of the update, which the system requires if `ProductKey` isn't present. This value is available in iOS 11.3 and later, macOS 12 and later, and tvOS 12.2 and later.
> Note:
> This value isn't available for use with Rapid Security Response (RSR) updates.
> This value isn't available for use with Background Security Improvement updates.
- key: InstallAction
type: <string>
presence: required

View File

@@ -10,7 +10,7 @@ payload:
supervised: true
requiresdep: true
sharedipad:
mode: allowed
mode: required
devicechannel: false
userchannel: true
userenrollment:
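Review bot: Changing `sharedipad` from `mode: allowed` to `mode: required` reads as restricting this item to Shared iPad, which changes the outcome for any server that sends it to other supervised devices, yet no description text or errata entry in this commit explains it. Say whether this corrects an earlier schema error or reflects a 26.1 change.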

View File

@@ -1052,7 +1052,8 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If `false`, the system disables content caching.
content: If `false`, the system disables content caching. This restriction is not
supported on the user channel.
- key: allowContinuousPathKeyboard
title: Allow Continuous Path Keyboard
supportedOS:
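Review bot: "This restriction is not supported on the user channel." states the limit only in prose, so a tool reading the schema still has no structured way to know the key is ignored there; the same sentence is repeated in two later hunks of this file. If the schema can express channel support per key, use that as well. For wording, the other text added in this commit uses contractions ("isn't", "can't"), so "isn't supported" would be consistent.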
@@ -2837,7 +2838,7 @@ payloadkeys:
default: true
content: If `false`, the system disables Apple Music Radio.
- key: allowRapidSecurityResponseInstallation
title: Allow Rapid Security Response Installation
title: Allow Background Security Improvement Installation
supportedOS:
iOS:
introduced: '16.0'
@@ -2859,9 +2860,9 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If `false`, the system prohibits installation of rapid security responses.
content: If `false`, the system prohibits installation of Background Security Improvements.
- key: allowRapidSecurityResponseRemoval
title: Allow Rapid Security Response Removal
title: Allow Background Security Improvement Removal
supportedOS:
iOS:
introduced: '16.0'
@@ -2883,7 +2884,7 @@ payloadkeys:
type: <boolean>
presence: optional
default: true
content: If `false`, the system prohibits removal of rapid security responses.
content: If `false`, the system prohibits removal of Background Security Improvements.
- key: allowRCSMessaging
supportedOS:
iOS:
@@ -3251,7 +3252,7 @@ payloadkeys:
presence: optional
default: true
content: If `false`, the system prevents modification of Time Machine settings in
System Settings.
System Settings. This restriction is not supported on the user channel.
- key: allowUIAppInstallation
title: Allow App Installation from App Store
supportedOS:
@@ -3411,7 +3412,7 @@ payloadkeys:
content: If `false`, the system allows iOS devices to always connect to USB accessories
while locked. In macOS, allows new USB and Thunderbolt accessories, and SD cards
to connect without authorization. If the system has Lockdown mode enabled, it
ignores this value.
ignores this value. This restriction is not supported on the user channel.
- key: allowVideoConferencing
title: Allow Video Conferencing
supportedOS:
@@ -4430,6 +4431,31 @@ payloadkeys:
- `0`: None
This restriction will require supervision in a future release.
- key: ratingAppsExemptedBundleIDs
title: Apps Exempted from Rating Restrictions
supportedOS:
iOS:
introduced: '26.1'
allowmanualinstall: false
userenrollment:
mode: forbidden
macOS:
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
watchOS:
introduced: n/a
type: <array>
presence: optional
content: If present, the system exempts apps with bundle IDs in the array from age-based
rating restrictions. The system uses intersection combine rules to combine multiple
payloads and any exceptions that parental control apps provide, including ScreenTime.
subkeys:
- key: ratingAppsExemptedBundleID
title: Exempted App
type: <string>
- key: ratingMovies
title: Movies Ranking Number
supportedOS:
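Review bot: The description of `ratingAppsExemptedBundleIDs` says the system uses "intersection combine rules", but the key has no `combinetype` field, whereas other keys in this commit state theirs in the schema (for example `combinetype: boolean-and` on `Enable`). Add the structured field so tooling doesn't have to parse the prose. The `ratingAppsExemptedBundleID` subkey also has no `content` line, and "If present" leaves open whether a present but empty array exempts nothing or is treated as absent, which matters once several payloads are intersected.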

View File

@@ -57,7 +57,7 @@ payloadkeys:
notes:
- title: ''
content: |-
This profile applies a set of declarations to the device. This allows a user to install declarations without requiring an MDM enrollment. A configuration profile containing this payload type can't be installed by a device management server. Device management servers need to use declarative device management to install declarations.
This profile applies a set of declarations to the device. Users use this profile to install declarations without requiring an MDM enrollment. A device management server can't install a configuration profile containing this payload type. Device management servers need to use declarative device management to install declarations.
> Important:
> When a user installs the profile, the device only applies configuration declarations that allow a "local" enrollment. Consult the documentation for each configuration type to see if you can use it.

View File

@@ -188,7 +188,8 @@ payloadkeys:
introduced: n/a
type: <dictionary>
presence: optional
content: The dictionary to configure Platform SSO.
content: The dictionary to configure Platform SSO. Requires `Type` to be set to
`Redirect`.
subkeys:
- key: AuthenticationMethod
type: <string>
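Review bot: "Requires `Type` to be set to `Redirect`." doesn't say what happens when the dictionary is supplied with another `Type`: is the profile rejected at install, or is the Platform SSO dictionary silently ignored? Spell that out, because a silently ignored dictionary leaves a device without the SSO configuration the admin believes is in place.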

View File

@@ -43,7 +43,7 @@ payloadkeys:
type: <string>
presence: required
rangelist:
- App
- Application
- Folder
- WebClip
content: The type of the Dock item.

View File

@@ -67,7 +67,8 @@ payloadkeys:
type: <array>
presence: optional
content: The list of user GUIDs or group GUIDs of users that the system allows to
log in. An asterisk (`*`) string specifies all users or groups.
log in. An asterisk (`*`) string specifies all users or groups. This only applies
to network accounts and mobile accounts.
subkeys:
- key: AllowListItem
type: <string>
@@ -77,7 +78,8 @@ payloadkeys:
type: <array>
presence: optional
content: The list of user GUIDs or group GUIDs of users that the system disallows
to log in. This list takes priority over the list in the `AllowList` key.
to log in. This list takes priority over the list in the `AllowList` key. This
only applies to network accounts and mobile accounts.
subkeys:
- key: DenyListItem
type: <string>
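Review bot: "This only applies to network accounts and mobile accounts." on the deny list (and the same sentence on `AllowList` in the previous hunk) leaves the reader to infer the consequence for local accounts. State it directly, for example that local accounts are not restricted by this list, because an admin reading "disallows to log in" will otherwise assume the deny list covers every account on the Mac. "This" should also name its subject ("This list only applies to ...").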

View File

@@ -43,7 +43,7 @@ payloadkeys:
unlock or stop the screen saver (the grace period). A value of `2147483647` (for
example, `0x7FFFFFFF`) disables this requirement. To use this option, you must
set `askForPassword` to `true`. Available in macOS 10.13 and later.
- key: loginWindowIdleTime
- key: idleTime
type: <integer>
presence: optional
content: The number of seconds of inactivity before the screen saver activates (0

View File

@@ -9,7 +9,7 @@ payload:
introduced: '10.9'
multiple: false
devicechannel: true
userchannel: false
userchannel: true
requiresdep: false
userapprovedmdm: false
allowmanualinstall: true
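Review bot: Flipping `userchannel: false` to `userchannel: true` next to `introduced: '10.9'` implies the payload has been installable on the user channel since 10.9, and no description or errata line in this commit backs that up. If this corrects the older schema, record it in the errata document; if user-channel support arrived later, the schema needs a version qualifier rather than a bare `true`.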

View File

@@ -51,20 +51,20 @@ payloadkeys:
type: <string>
presence: optional
content: The key to skip the Action Button configuration pane.
- key: AdditionalPrivacySettings
title: Skip Additional Privacy Settings pane
- key: AgeBasedSafetySettings
title: Skip Age Based Safety Settings pane
supportedOS:
iOS:
introduced: n/a
introduced: '26.1'
macOS:
introduced: '26.0'
introduced: n/a
tvOS:
introduced: n/a
visionOS:
introduced: n/a
type: <string>
presence: optional
content: The key to skip the Additional Privacy Settings pane.
content: The key to skip the Age Based Safety Settings pane.
- key: Android
title: Prevents migration from Android device
supportedOS:
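Review bot: The `AdditionalPrivacySettings` skip key (macOS `introduced: '26.0'`) is replaced in place by `AgeBasedSafetySettings` (iOS `introduced: '26.1'`), so the old key disappears from the schema entirely, but the errata entry this commit adds for `other/skipkeys.yaml` mentions only OSShowcase and UpdateCompleted. Either add an errata line saying `AdditionalPrivacySettings` was listed in error, or keep it as a separate entry if servers may already be sending it.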
@@ -346,7 +346,7 @@ payloadkeys:
iOS:
introduced: '26.0'
macOS:
introduced: '26.0'
introduced: '26.1'
tvOS:
introduced: n/a
visionOS:
@@ -442,6 +442,7 @@ payloadkeys:
supportedOS:
iOS:
introduced: '18.4'
always-skippable: false
macOS:
introduced: n/a
tvOS:
@@ -450,7 +451,9 @@ payloadkeys:
introduced: n/a
type: <string>
presence: optional
content: The key to skip the Safety and Handling pane.
content: The key to skip the Safety and Handling pane. This pane isn't always skippable
because it appears before the device retrieves the Cloud Configuration from the
server.
- key: ScreenTime
title: Skip Screen Time pane
supportedOS:
@@ -626,7 +629,7 @@ payloadkeys:
iOS:
introduced: '14.0'
macOS:
introduced: '26.0'
introduced: '26.1'
tvOS:
introduced: n/a
visionOS: